Re: CGI security on a shared web server (fwd)

From: Lee E. Brotzman (lebat_private)
Date: Wed May 29 2002 - 14:28:23 PDT

    On Wed, 29 May 2002 11:04:30 +0200, Steffen Dettmer said:
    > I don't see why someone would suEXEC setuid perl scripts.
    
    I don't suEXEC setuid perl scripts. I don't suEXEC *any* scripts. That's what 
    I've been saying all along.
    
    > SuEXEC
    > already does setuid to the owner of that script - and I think it
    > may even refuse execution if setuid bits are set. At least SuExec
    > makes some tests, check docs.
    
    I've checked the docs, read the source code, and used it for a moderately
    extensive project (only about 30 CGI programs with ~5,000 lines of Perl code).
    The experience led me to drop using it for the reasons I've already enumerated.
    In my experience with suEXEC, the benefit of using the wrapper program did not
    outweigh the risk of running all CGI programs with a real userid. Of the 30 or
    so CGI programs in the project, only 8 had to have any elevated privilege. The
    rest were just fine running as user "web" or whatever the web server UID was.
    
    On Wed, 29 May 2002 11:59:44 EDT, "Jeff Dafoe" said:
    >Running end users' CGIs as the same user as the web server is asking for
    >problems, IMHO. 
    
    Perhaps, if you also have the web pages, or other files/directories, owned by
    the same UID as the web server. I think you're better off if there are no files
    owned by the UID of the web server, whether that's 'nobody' or some other
    special-purpose UID.  If your document root and its pages are owned by the web
    server UID, then definitely you are better off using suEXEC to shuttle all CGI
    programs to other UID/GIDs. As long as the web server doesn't have any
    privileges to alter any files on the system, the threat from running CGI
    programs with that UID is reduced significantly, though.
    
    As a final word -- thankfully, this is my last follow-up -- all of these
    decisions depend on the situation. I resist the notion that suEXEC is some
    panacea. I freely acknowledge that there are situations where suEXEC is
    helpful. I would hope that others would recognize that there are also reasons
    *not* to use it.
    
    -- 
    -- Lee E. Brotzman                    E-mail: lebat_private
    -- Allied Technology Group            Phone : 814-861-5028
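
Added example, not part of the original message: a Python check for the condition discussed above, that nothing under a document root is owned by, or writable by, the web server UID. The function names and command-line arguments are assumptions made for this example, and POSIX ACLs are not examined.

```python
import os
import pwd
import stat
import sys

def web_uid_access(st_uid, st_gid, st_mode, web_uid, web_gids):
    """Return why the web server UID could alter this inode, or None.

    Follows the Unix rule that only the first matching class
    (owner, then group, then other) has its permission bits consulted.
    """
    if st_uid == web_uid:
        # An owner can chmod the file writable again, so ownership alone is a finding.
        return "owned"
    if st_gid in web_gids:
        return "group-writable" if st_mode & stat.S_IWGRP else None
    if st_mode & stat.S_IWOTH:
        return "world-writable"
    return None

def audit_tree(root, web_uid, web_gids):
    """Walk root and return sorted (path, reason) pairs the web UID could alter."""
    gids = frozenset(web_gids)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself too: write access there allows replacing files.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable while walking
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink carry no meaning
            reason = web_uid_access(st.st_uid, st.st_gid, st.st_mode, web_uid, gids)
            if reason:
                findings.append((path, reason))
    return sorted(findings)

if __name__ == "__main__":
    # usage: audit.py <web-server-user> <document-root>  (both supplied by the operator)
    user = pwd.getpwnam(sys.argv[1])
    groups = os.getgrouplist(user.pw_name, user.pw_gid)
    for path, reason in audit_tree(sys.argv[2], user.pw_uid, groups):
        print(f"{reason}\t{path}")
```

An empty result means the web server UID has no ordinary write path into the tree, which is the situation the message describes as significantly reducing the threat from CGI programs running under that UID.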
    



    This archive was generated by hypermail 2b30 : Thu May 30 2002 - 10:10:37 PDT